InfoSci®-Journals Annual Subscription Price for New Customers: As Low As US$ 4,950

This collection of over 175 e-journals offers unlimited access to highly-cited, forward-thinking content in full-text PDF and XML with no DRM. There are no platform or maintenance fees and a guarantee of no more than 5% increase annually.

Receive the complimentary e-books for the first, second, and third editions with the purchase of the Encyclopedia of Information Science and Technology, Fourth Edition e-book. Plus, take 20% off when purchasing directly through IGI Global's Online Bookstore.

Take 20% Off All Publications Purchased Directly Through the IGI Global Online Bookstore: www.igi-global.com/

Abstract

Forensics investigators encounter many challenges when it comes to digital evidence: the constantly changing technology that may store evidence, the vast amounts of data involved, and the increasing use of encryption. Cryptography, when used correctly, can prevent any useful information from being retrieved and is encountered in the use of communication protocols, whole-disk encryption, password managers, and so forth. There are some techniques that can assist the investigator when encountering encrypted material. Simple password-based systems can be brute-forced, and live memory capture can obtain key material directly. It has been suggested that the ciphertext length can be used to conclusively determine the plaintext (McGrath, Gladyshev, & Carthy, 2010). In this paper, the authors devise an experiment to test this claim. Based on the results, they argue that there are flaws with this approach.

Article Preview

Previous Work

Ideally, a forensics investigator would have a back-door to any cryptography that they might encounter. Such mechanisms have long been proposed (Denning & Branstad, 1996), but have not seen widespread adoption. Occasionally there are mistakes in the implementation of cryptography that have lead to weaknesses (e.g. a software bug caused predictable keys in the Debian OpenSSL package, Bello, 2008), but the number of cases is small, and one cannot rely on them being present.

In spite of the obstacles, a good deal of research has been undertaken on what options are available to a forensics investigator in the face of encrypted evidence. The majority of the work to date has focused on capturing keys from live memory. Shamir and Someren (1999) proposed a method for detecting high entropy as a tell-tale aspect of RSA keys. Klein (2006) instead looked for the common formats and syntax of keys and certificates. Halderman et al. (2009) extended the timeframe during which keys in memory could be captured, by freezing the RAM and using error-correction techniques.

The problem addressed by McGrath, Gladyshev, and Carthy (2010) was that of a forensic investigator analysing a suspect's hard-drive where there were concerns about the use of encryption, namely PGP/X.509 or compatible software. The investigator wishes to obtain all cryptographic material and, where possible, determine what was encrypted and to whom it was sent. Access to public key servers is assumed to be available.

Searching for Artefacts

The first step described in the methodology is to search for keys and encrypted files on the suspect's hard-drive. File signatures (fixed byte patterns that always appear at the start of the file) for public key and ciphertext files were determined for various key sizes (512, 1024, and 2048-bit key strengths).